Combating the Rise of the K-12 Cyberattack
February 01, 2024
Appears in February 2024: School Administrator.
Superintendents draw on their districts’ recent victimization to encourage expediency and strategic planning
On a Wednesday in January 2022, Albuquerque Public Schools’ technology team detected something fishy in the student information system. Hackers had breached the district’s Synergy Student Information System with a ransomware attack.
“We shut everything down immediately,” says Scott Elder, superintendent of the 70,000-student district. “We were forced to close Thursday and Friday” before reopening after Martin Luther King Jr. Day.
The attack was part of an intensifying trend of cyberattacks on K-12 districts as criminals often perceive schools to be easy prey. Cyberthieves presume schools maintain low defenses compared with large corporations or federal government agencies. Hackers also recognize that public schools benefit from consistent, stable funding pipelines compared to many private companies.
Ransomware attacks last year impacted 1,981 schools across the U.S., almost double the 1,043 schools affected in 2021, according to a report by anti-malware company Emsisoft. Albuquerque was one of 45 U.S. school districts hit by ransomware attacks in 2022, the report said.
The uptick has challenged superintendents nationwide to respond more quickly and effectively to cyberattacks, to step out of their familiar comfort zone as educators and to prioritize tech defense at a higher level.
In Albuquerque, Elder says the cybersecurity contingency plan triggered the school shutdown as well as a process to review movement of students’ data. But because the district had no vendor contracts specifically for cyberattack response, the district made an emergency school board request for more than $250,000, to be paid to the cyber forensics company conducting the audit, the superintendent says.
The contract yielded immediate results, as auditors determined that hackers had encrypted students’ personally identifiable information without moving the data anywhere.
From the experience, the district learned future cybersecurity contracts should be executed before an intrusion occurs.
Assessing Vendors
Hackers often target school districts through their business vendors — such as Synergy SIS — as education companies store large tranches of teachers’ and students’ personal information, regarded as currency for cyberthieves seeking to profit from data theft. K-12 cyberattacks are so common the Consortium for School Networking released a tool for districts to assess the strength of vendors’ information, data and cybersecurity policies before agreeing to a service contract.
The FBI and local police department advised the Albuquerque district to generalize descriptions of the cyberattack and to judiciously omit in public communications the more granular details of the law enforcement investigation, Elder says.
“You don’t know what the bad actors are listening to,” he says. “You want to make sure you just give them enough information to say, ‘The data breaches occurred. At this time, it doesn’t appear that anything’s been compromised. We’re moving forward [with] mitigation, and as soon as we can open [schools], we’ll let you know.’”
Because no data had been compromised, the attack did not force district officials to consider paying ransom.
In the aftermath of the incident, the district created a new position for a chief security officer to specifically focus on cybersecurity, a change from the district’s former treatment of cybersecurity as one among several information technology priorities.
Cyber-Protection Emphasis
For many superintendents, cybersecurity is a secondary consideration in a world of competing financial, academic and social priorities. Often, school districts don’t think to prioritize cybersecurity with any specific financial or strategic direction until an intrusion occurs.
Shannon Goodsell, superintendent of the 2,000-student Window Rock Unified School District, located in Navajo territory in Arizona, called the recent surge in K-12 cyberattacks “uncharted waters,” adding that it’s testing school leaders in new ways.
“I’m an educator,” Goodsell says. “I teach kids. I don’t do cybersecurity. We hire people to do that, and I think that you’ll find that with 95 percent of all the superintendents that you talk to.”
But when Ivory Coast-based hackers launched a Trojan Horse attack on Window Rock’s financial data in August 2022, Goodsell entered the fray. The thieves put up a firewall around the data and held it for $1 million ransom.
“We told them no, and we kind of stalled,” he says. “We had our insurance company techies battle the internet pirate techies in what I call the ‘Great Techie War’ of us trying to hack their firewall.”
Window Rock’s cyber insurance company for two weeks couldn’t hack the thieves’ firewall. But then Goodsell devised a solution: a double firewall. “What I ordered then is [to] put up an encrypted firewall around their firewall, [which] sealed all of that financial data for forever,” he says.
Neither Window Rock nor the hackers could access the data at that point, reflecting a kind of stalemate between the two sides. Window Rock worked with the FBI, CIA and Department of Homeland Security to ensure students’ and teachers’ data remained safe after the breach.
Though employee payroll and vendor payments were two weeks late because of the breach, no students’ or teachers’ personal data were compromised, according to Sheldon Yazzie, director of technology for Window Rock schools. Staff were reassured they would get repaid for any overdraft fees through the district’s insurance carrier.
Fortunately and proactively, the district had purchased cyber insurance the third week of July 2022, about two weeks before the attack, according to a CoSN blog post by Goodsell. Though the insurance was in place, the superintendent said he would give his district a cybersecurity rating of 4 out of 10 at the time of the breach.
Window Rock USD had reached out to all K-12 districts in Navajo and Apache counties to get advice on responding to the breach, yet 90 percent of those districts didn’t have a cybersecurity response plan in place, Yazzie says. Neither did Window Rock.
But even as districts look to nestle cybersecurity into their ever-evolving priority lists, Yazzie recommends that districts take several baby steps to shore up their IT networks.
These baby steps include some form of domain name system, or DNS, protection, which filters unwanted traffic and puts suspicious URLs on a blacklist. Yazzie also suggests the use of local administrator password solutions, which randomize passwords on servers, minimizing the ability of cybercriminals to access entire networks if they somehow gain access to these passwords.
Further, districts can fortify their cybersecurity through routine use of multifactor authentication and through strengthened endpoint detection and response services, which are installed on users’ devices and essentially merge antivirus and malware detection functions.
Spear-Phishing Detection
The 39,000-student Beaverton Public Schools, located in a suburb of Portland, Ore., was alerted to a spear-phishing attack about seven years ago after the manager for a high school construction project noticed none of the applications on her district-issued laptop were working correctly.
The hackers crafted a fake e-mail posing as one of the companies she did business with, according to Beaverton’s chief information officer, Steven Langford. The e-mail requested the manager approve some adjustments for the $180 million project and took her to Adobe’s sign-in page. Her login failed, but cybercriminals now had her credentials.
The Nigeria-based hackers hoped that obtaining the credentials would set the stage to wire-transfer some project funds into their account.
But Beaverton benefited from sound accounting practices that prevented wire transfers at the time, Langford says. The district policy requires that bank information is never provided over the phone, even if a caller identifies him or herself as an employee of a district vendor.
With the stolen credentials, the hackers’ “quick score” would have been the finance account numbers, Langford says, and the FBI had informed the district that the hackers hunted hundreds of victims this way. “They were monitoring, waiting for the [money] to come in, so they could make the transfer, make the switch, pull the money and go,” he says.
The school district already was using role-based security at the time, but since then has implemented virtual private network access for critical applications, intrusion-detection applications to monitor anomalous traffic and multifactor authentication, among other measures.
Cloud Data Transfers
Though it’s never good when a cyberattack hits a school district, the summer 2019 timing of cyberterrorists’ intrusion into the financial system of Coventry Public Schools, located southwest of Providence, R.I., blunted the potential educational impact on the district’s 5,000 students.
The district’s insurance company paid about $300,000 in ransom to Eastern Europe-based cyber thieves after the hackers encrypted the district’s financial system in July 2019, according to Craig Levis, who was Coventry’s superintendent at the time. As soon as he became aware the attack was ransomware-based, he gave the cyber insurance company broad control over the technical and tactical aspects of the response.
The ransom payment and negotiation yielded a digital key that allowed the district to regain access to its financial system. To independently troubleshoot the problem without paying ransom would have taken months, Levis says.
“The state police [told] us not to pay their ransom for attack,” he says. “But we needed our financial data back.”
Despite the criminals’ loathsome activities, the hackers had an “honor amongst thieves” reputation, wherein their victims regularly reported they received their data back following the ransom payment, Levis says.
The timing of the mid-summer attack allowed the district to fully rectify the data issue before students returned to school in the fall. But unanticipated issues arose in the days after the breach. Coventry’s servers went down for five days, catalyzing a shutdown of the digitally controlled HVAC system in the district’s middle schools. Black mold spread throughout the facilities, Levis says.
Insurance covered $500,000 in mold remediation during the following three weeks.
Summer break gave the district ample time to wipe clean all of its Chromebooks and desktops of “any information or any software” after the intrusion, Levis says. Those devices were reloaded with proper software before the start of school.
Coventry transferred all financial data from physical servers to the secure cloud because bad actors had poked around those physical servers for several months, Levis says. It’s quite easy for hackers to gain access to targets’ personal data residing in physical servers that have already been breached.
“All it takes is somebody opening up an attachment,” Levis says. “That bad actor has access to everything.”
Brian Bradley is a freelance education writer in Bunker Hill, W.Va.
Author
Common Types of K-12 Cyberattacks
While cyberattacks span a wide spectrum of breaches, there are a few types that K-12 administrators should look out for. This list is not exhaustive but should provide some tips on how to identify certain attacks.
Ransomware.
This form of attack locks one or more information technology systems until schools pay the attacker. Albuquerque Public Schools in New Mexico and Coventry Public Schools in Rhode Island both encountered this type of attack, with hackers encrypting the former’s student information system and the latter’s financial system.
As soon as hackers breached Coventry, district employees’ financial system login info wasn’t working. The e-mail service shut down as well. In Albuquerque’s attack, the district’s technology security team examined the network and detected that potentially someone other than faculty and students had intruded into the SIS.
In both cases, the districts sent out notifications immediately. Albuquerque immediately closed school for two days. Coventry didn’t have that need because its attack happened in July. However, the district instructed staff not to use their work e-mail until the investigation had concluded.
Trojan Horse.
A Trojan Horse attack involves hiding a malicious program inside an apparently legitimate one. When the ostensibly harmless program is used, hidden malware can open a backdoor through which hackers can penetrate the K-12 network.
Window Rock Unified School District in Arizona encountered this type of attack. “The first thing that [the attack] tried to do is to take the [financial] account codes and then take the money and then wire-transfer it out to banks,” Shannon Goodsell, the district superintendent, says. Window Rock’s check-and-balance system prevented any money from getting wired, as new wire-transfer requests must go through county financial processes, and even Goodsell doesn’t have the authority to randomly send funds.
To prevent Trojan Horse attacks, cybersecurity company Fortinet recommends users not download or install any programs until or unless the source can be verified.
Phishing.
Steve Langford, chief information officer in Oregon’s Beaverton Public Schools, describes the classic phishing attack as a “spray and pray” ordeal. Hackers send a spurious e-mail to a wide range of recipients in a network, hoping one person will click a link that will siphon their personal credentials. Bad actors phished Beaverton this past Sept. 1, with customized e-mails sent to every school in the district appearing to be from each school’s principal.
Cybercrime outfits research the writing of organizational leaders, such as building principals, Langford says. “They follow on Facebook. They get access to everything published on the web. They get the CEO’s voice,” he says.
Fortinet advises users to think carefully about the types of e-mails they open, to pay close attention to e-mail headers and not click on anything that looks suspicious.
Spear-Phishing.
This is more sophisticated than basic phishing but follows the same general format of bad actors relying on a target to provide their credentials through clicking a spurious link. Unlike phishing, spear-phishing identifies a specific, high-value target ahead of time, where cybercriminals tailor an e-mail in hopes of gaining access to that target’s data.
Criminals sought a $50,000 to $100,000 wire transfer following a spear-phish of Beaverton’s network in 2015, Langford says. Much like cyberthieves’ attempt to extort Window Rock via wire transfer, Beaverton’s policies and processes weren’t even set up to enable such a wire transfer eight years ago, Langford says. “We had additional protocols in place, so that we could mitigate the risks.”
— Brian Bradley
Advertisement
Advertisement
Advertisement
Advertisement